Provider credential management

Overview

Provider credentials are the API keys and tokens you use to authenticate with AI providers like OpenAI, Anthropic, Google, and others. ModelRiver encrypts these credentials at rest and never exposes them in the UI once saved.

How credentials are stored

• Encrypted at rest using industry-standard encryption
• Masked in the UI: only the last 4 characters are visible after saving
• Never returned via API: credentials cannot be retrieved, only overwritten
• Isolated per project: each project has its own credential store

Adding provider credentials

1. Navigate to Settings → Providers in your project
2. Select the provider (OpenAI, Anthropic, Google, etc.)
3. Enter the API key or token
4. Click Save

The credential is encrypted and stored immediately.

Rotating credentials

To rotate a provider credential:

1. Generate a new API key from the provider's dashboard
2. Navigate to Settings → Providers in ModelRiver
3. Overwrite the existing credential with the new key
4. Verify functionality with a test request
5. Revoke the old key from the provider's dashboard

Alternatively, delete the existing credential and create a new entry.

Error handling

Missing or invalid credentials surface clear errors:

Best practices

• Use dedicated keys: Create provider-specific API keys for ModelRiver rather than sharing keys across services.
• Set spending limits: Configure spending caps on provider dashboards to prevent unexpected costs.
• Monitor provider health: Use ModelRiver's Observability to track provider error rates and latency.
• Test after rotation: Always verify credentials work after rotation before revoking old keys.

Next steps

• Data retention: Understand data storage and purge policies
• Compliance: Audit trails and regulatory considerations
• Troubleshooting: Diagnose credential-related issues